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Abstract 

We propose a group membership service for dynamic ad hoc networks. It maintains 
as long as possible the existing groups and ensures that each group diameter is always 
smaller than a constant, fixed according to the application using the groups. The pro- 
posed protocol is self-stabilizing and works in dynamic distributed systems. Moreover, 
it ensures a kind of continuity in the service offer to the application while the system is 
converging, except if too strong topology changes happen. Such a best effort behavior 
allows applications to rely on the groups while the stabilization has not been reached, 
which is very useful in dynamic ad hoc networks. 

Keywords: Group maintenance, Best effort, Stabilization, Dynamic network 



1 Introduction 

Self-stabilization in dynamic networks. A dynamic network can be seen as an [a priori 
infinite) sequence of networks over time. In this paper, we focus on dynamic mobile net- 
works. Examples of such networks are Mobile Ad hoc networks (MANETs) or Vehicular Ad 
hoc networks (VANETs). 

Designing applications on top of such networks require to deal with the lack of infrastruc- 
ture [20, 15]. One idea consists in building virtual structures such as clusters, backbones, or 
spanning trees. However, when the nodes are moving, the maintenance of such structures 
may require more control. The dynamic of the network increases the control overhead. Thus, 
distributed algorithms should require less overall organization of the system in order to remain 
useful in dynamic networks. 

Another paradigm for building distributed protocols in mobile ad hoc networks consists 
in designing self-stabilizing algorithms [4]. These algorithms have the ability to recover by 
themselves {i.e., automatically) from an inconsistent state caused by transient failures that 
may affect a memory or a message. A topology change can be considered as a transient 
failure because it leads to an inconsistency in some memories. Indeed, when a node appears 
or disappears in the network, all its neighbors should update their neighborhood knowledge. 
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Self-stabilizing algorithms have been intensively studied the two last decade for their ability 
to tolerate transient faults [8]. However, it is important to notice that such algorithms do not 
ensure all the time the desirable behavior of the distributed system, especially when faults 
occur and during a certain period of time following them. In dynamic systems, it becomes 
illusory to expect an application that continuously ensures the service for which it has been 
designed. In other words, what we can only expect from the distributed algorithms is to behave 
as "the best" as possible, the result depending on the dynamic of the network. 

In this paper, we propose a new approach in the design of distributed solutions for dynamic 
environments. We borrow the term "best-efforf from the networking community to qualify 
the algorithms resulting of our approach. Roughly speaking, a best-effort algorithm is a self- 
stabilizing algorithm that also maintains an extra property, called continuity, conditioned by 
the topology changes. 

Continuity aims to improve the output of the distributed protocol during the convergence 
phase of the algorithm, provided that a topological property is preserved. This means that 
there is a progression in the successive outputs of the distributed protocols, except if the 
network dynamic is too high. This is important in a distributed system where the dynamic 
(that is, the frequent topology changes) can prevent the system to converge to the desirable 
behavior. Since the output of the protocol will certainly be used before the stabilization, the 
continuity ensures that third party applications can rely on it instead of waiting. The output 
will certainly be modified in the future, but without challenging previous ones. 

In some aspects, our approach is very close to the ones introduced in [16] and in [9]. In [16], 
the authors introduce the notion of safe-convergence which guarantees that the system quickly 
converges to a safe configuration, and then, it gracefully moves to an optimal configuration 
without breaking safety. However, the solution in [16] works on a static network. In [9], 
the authors use the notion of passage predicate to define a superstabilizing system, i.e., a 
system which is stabilizing and when it is started from a legitimate state and a single topology 
change occurs, the passage predicate holds and continues to hold until the protocol reaches 
a legitimate state. By contrast, the continuity property is intended to be satisfied before a 
legitimate configuration has been reached. It must be satisfied during the stabilization phase, 
and between two consecutive stabilization phases (convergence phase followed by stability 
phase) . 

We illustrate our approach with a new group management protocol adapted to vehicular 
ad hoc networks (VANET), an emblematic case of dynamic ad hoc networks. 

Dynamic group membership service in VANET. The Intelligent Transportation Sys- 
tems (ITS) currently attract a lot of attention. It is expected that such systems could improve 
the road safety, offer a better resource usage, increase the productivity, reduce the impact of 
transport on the environment. ITS is extensively studied by both theoretical and experimental 
researchers, especially the vehicular ad hoc networks (VANET), showing characteristics that 
are different from many generic MANETs [3]. 

Many VANET applications require cooperation among close vehicles during a given period: 
collaborative driving, distributed perception, chats and other infotainment applications. Vehi- 
cles that collaborates form a group. A group is intended to grow until a limit depending on the 
application. For instance, the distributed perception should not involve too far vehicles, a chat 
should be responsive enough, that limits the number of hops, etc. When the group diameter is 
larger than the bound given by the application, it should be split into several smaller groups. 
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However, a group should not be split if this is not mandatory by the diameter constraint in 
order to ensure the best duration of service to the application relying on it. Even if another 
partitioning of the network would have been better {e.g., less groups, no isolated vehicle), it 
is preferable to maintain the composition of existing groups. It is expected that, thanks to 
the mobility of the nodes, small groups will eventually succeed in merging. It is then more 
important to maintain existing groups as long as possible. 

To achieve this specific group membership service, we propose a self-stabilizing distributed 
algorithm in a wireless communication model. This algorithm stabilizes the views in such a 
way that all the members of a group will eventually share the same view (in which only the 
members appear). The groups' diameters are smaller than a fixed applicative constant Dmax 
and neighbor groups merge while the diameter constraint is fulfilled. Moreover, our algorithm 
admits the following continuity property: no node disappears from a group except if a topology 
change leads to the violation of the diameter constraint (or a node leaves). 

To the best of our knowledge, only a few number of papers addresses the problem of group 
membership maintenance in the context of self-stabilization. Recently, in [6], the authors 
propose a self-stabilizing A;-clustering algorithm for static networks. In [10], the authors propose 
a self-stabilizing group communication protocol. It relies on a mobile agent that collects and 
distributes information during a random walk. This protocol does not allow to build groups 
limited to A; hops. 

Group communication structures have been proposed in the literature to achieve fault- 
tolerance in distributed systems [2], by providing for instance replication, virtual synchrony, 
reliable broadcast, or atomic broadcast {e.g., [19, 14]). Other works deal with the ^-clustering 
or A:-dominating set problem, e.g., [5, 1, 17, 18, 16], where nodes in a group arc at most at 
distance k from a cluster-head or dominant node. The aim of these algorithms is to optimize 
the partitioning of the network. The group service we propose in this paper is different in the 
sense that its aim is not to optimize any partitioning nor to build group centered to some nodes. 
Instead, it tries to maintain existing groups as long as possible while satisfying a constraint on 
the diameter, without relying on a specific node (that may move or leave). 

Contributions. In Section 2, we describe the distributed system we consider in this paper. 
We also state what it means for a protocol to be self-stabilizing and best effort regarding 
a continuity property conditioned by topology changes. Next, in Section 3, we specify a 
new group service (inspired from VANET). In the same section, our best-effort self-stabihzing 
algorithm is presented. The proofs are given in Section 4. Finally, we make some concluding 
remarks in Section 5. By lake of place, some proofs are in appendix. 

2 Model 

We consider a system S composed of mobiles nodes that communicate by wireless communi- 
cation devices. 

Node. Let be a set of nodes spread out in an Euclidean space. The total number of nodes 
in V is finite but unknown. Each node is equipped with a processor unit (including local 
memory) and a wireless communication device. A node can move in the Euclidean space. A 
node u has either the state active or passive. If it is active, a node u can compute, send and 
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receive messages by executing a local algorithm. The distributed protocol V is composed of all 
the local algorithms. 

Communication. Wc define the vicinity of a node v as the part of the Euclidean space from 
where a node u can send a message that can be received by v (the vicinity depends on the 
communication devices, the obstacles, etc.). A node v can receive a message from u if (i) both 
u and V are active, (ii) u is in the vicinity of v, (Hi) u is sending a message, {iv) no other node 
in the vicinity of v is currently sending a message, and {v) v is not sending a message itself 
(any active node that is not sending is able to receive). 

Wc admit the following fair channel hypothesis: there exists two time constants ri and T2 
with Ti > T2 such that, starting from a date t, any node v is able to receive before the date 
i + Ti a message from each node providing that u is in the vicinity of v between t and t-\-T\ 
and attempts to send a message every units of time. As in [10] , we use timers rather than 
an asynchronous distributed algorithm for discovering the neighborhood because our approach 
is intended to dynamic networks with too frequent changes for considering an asynchronous 
distributed algorithm. 

At any time instant there is a communication link from u to v ii both u and v have 
the state active (at t), and if u is into the vicinity of v (at t). A communication link is 
oriented because u could be in the vicinity of v while the converse is false. The capacity of a 
communication link is one message. 

Dynamic. Since nodes can move and change their states, the topology of the system S 
evolves over time. Even if a communication link exists from uio v &X, date t, a communication 
may fail because previous conditions are not fulfilled, or because the duration of the link is too 
short. 

The dynamic of a network is in fact a relative notion, depending on both the dynamic of 
the nodes (moving and state changing) and the speed of the messages. Indeed, even if the 
nodes move slowly, if the communication are very slow, some distributed applications may 
fail. Conversely, the nodes could move rapidly without disturbing distributed applications if 
communications are efficient. We then introduce the following metric of dynamic. 

The system S is 5-dynamic if any node u experimenting a neighborhood change is able to 
send a message to all the nodes v at distance smaller than or equal to 5 before a new topology 
change occur (note that during this message propagation, the topology is fixed). In the rest of 
this paper, we admit the following hypothesis: S is 1-dynamic. 

Executions. A configuration c of iS is the union of the states of memories of all the processors 
and the contents of all the communication links. An empty communication link is denoted in 
the configuration by a link that contains an empty set of messages; obviously a non existing 
communication link is not reported in the configuration (this is important to tackle topology 
changes). Let C be the set of configurations. 

An execution of a distributed protocol V over 5 is a sequence of configurations Co,Ci, . . . 
of S which (i) does not contain successive identical configurations (V? G N, 7^ Qi+i); (ii) 
contains all the successive configurations the system S reached by executing the distributed 
protocol P, providing that at least one node has noticed the change and (iii) is either infinite, 
or the computation is finite, no action is enabled and no message is in transit in the final 
configuration (this implies that links remain stable). 
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By consequence, any topology change detected by at least one node leads to a new con- 
figuration. There is then a single topology per configuration; we denote by Gj the topology 
of <S during the i-th configuration. In a static system S, we have Gj = Go in every execution 
Co, Ci, C2, Otherwise, the system S is said to be dynamic. 

Self-Stabilization. Let A" be a set. Then a; h 11 means that an element x & X satisfies the 
predicate 11 defined on the set X and X \- U with X C X means that any x E X satisfies 
X h n. We define a special predicate true as follows: \/x E X, x \- true. Let Hi and 112 be two 
predicates defined on the set of configurations C of the system S. II2 is an attractor for IIi if 
and only if the following condition is true: for any configuration Ci h Hi and for any execution 
e = ci, C2, . . ., there exists i>l such that for any j > i, cj h 112. 

Define a specification of a task as the predicate U on the set C of configurations of system 
S. A protocol V is self-stabihzing for n if and only if there exists a predicate C-p (called the 
legitimacy predicate) defined on C such that the following conditions hold: 

1. For any configuration Ci h C-p, and for any execution e — Ci,C2, we have e h H 
(correctness). 

2. n is an attractor for true (closure and convergence). 

Best effort continuity of service. We denote by Ut sl topological predicate defined on the 
pairs of successive configurations in an execution. Such a predicate is intended to be false when 
an "important topology" change happens. We denote by n^; a continuity predicate defined on 
the pairs of successive configurations in an execution. Such a predicate is intended to be false 
when the quality of the outputs produced by protocol V in the two successive configurations 
decreases. 

The protocol V offers a best effort continuity of services if Ut =^ H^. 

3 Dynamic Group Service 

In this section, we first state the group membership service considered in this paper. Next, we 
present an algorithm for this problem, followed by its proof. 

3.1 Specification 

Let G{V, E) be a graph. Let d{u, v) be the distance between u and v (length of the shortest 
path from uio v vaG). A subgraph H{Vh,Eh) is defined as follows: Vh Q V and \/{u,v) e 
E, {u e Vh and v e Vh) ^ {u, v) e Eh- Two subgraphs Hi{Vi, Ei) and i?2(V2, £'2) of a graph 
G are said distinct if V1UV2 = 0. Let X C be a set of nodes. We denote by dx{u,v) the 
distance between u and v in the subgraph H{X, Eh), that is, the length of the shortest path 
from u to V with only edges of Eh- If such a path does not exists, then dx{u, v) = +00. 

Given a graph G, the problem considered in this paper consists in designing a distributed 
protocol that provides a partition of G into disjoint subgraphs called groups that satisfies 
constraints described below. 

Denote by view^ the knowledge of v about its group in configuration c (output on node v). 
Let be the predicate defined on the configurations and called agreement property: IIa{c) 
holds if and only if there exists a partition of disjoint subgraphs ifi(V^i, i?i), ^^2(^2, -E2), • • • , 
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Hi{Vi, Ei), ... of G{V, E) such that for every pair u,v, u and v &Vi^ view^ = view^ = 

Let VL'^ be the group of v in configuration c, defined by: (i) Qf^ — view^ if f e view^ 
and Vm G view,^,, view^ = view^, (ii) = {f} otherwise. Note that given any configuration 
c, if n^(c) holds, {^yiV G V} defines a partition of G into disjoint subgraphs of G, z.e., 
there exists a partition of disjoint subgraphs ii^i), i72(V'2, -E'2), . . . , . . . such 

that Vv G Fj, O,^ — Vi for every subgraph Hi. 

Let Dmax be an integer representing the maximal admissible distance between two nodes 
belonging to the same group. Let 115 be the predicate defined on the configurations and called 
safety property: Tls{.c) holds if each group is connected and its diameter is smaller than Dmax. 
More formally 115(0) = V^; G F, maxaj^j^g^c d^^{x,y) < Dmax. 

Let Hm be the predicate defined on the configurations and called maximality property: 
nj\^(c) holds if by merging two existing groups, we cannot obtain a partition satisfying the safety 
property. More formally IIm{c) = Wu,v G V with ^ fi^, 3x,y G U fi^, dncuQc{x,y) > 
Dmax. 

The problem considered in this paper is to design a self-stabilizing protocol regarding 
predicates A 115 A Um- after the last failure or topology change, the algorithm converges in 
finite time to a behavior where H^, Us, and Um are fulfilled. 

Note that the above requirement is suitable for fixed topologies only. The following predi- 
cate deals with dynamic system, i.e., with topological change of the network. Let C^^V^, E"^) 
be the graph modeling the topology of the system at configuration c. We introduce the fol- 
lowing notation: d'^ refers to the distance in the graph C^, and dx{u,v) denotes the distance 
between u and v in by considering only edges of the subgraph H(X, Eh) of C^. Define the 
topological property as the predicate IIt defined on any couple of two successive configurations 
Ci,Cj+i of an execution e as follows: nr(ci,Cj+i) holds if, for any pair of nodes belonging to 
the same group in q, the distance between them will still be smaller than Dmax in Cj+i. In 
other words, if a topology change occurred between Cj and q+i, it has preserved the maximal 
distance condition. More formally, IlT{ci,Ci+i) =yv &V, max^^g^cj d'^t^{x,y) < Dmax. 

Finally, we are looking for protocols attempting to preserve a group partition when a topol- 
ogy change occurs. Let He be the predicate defined on the couples of successive configurations 
and called continuity property: Ilc{ci, Q+i) holds if in any group, no node disappears. In other 
words, an application can work with the given view because it defines a group in which no 
node will disappear. More formally, Ilc{ci,Ci+i) = Vv G Q^* C Obviously, if the 

dynamic of the network is too large, such a property cannot be satisfied. We then introduce 
the best effort requirement: =^ He- 

3.2 Distributed Protocol 
3.2.1 Informal description 

For a given node, the candidates to form a group are neighbors up to distance Dmax. Nodes build 

lists of candidates by diffusing messages in the neighborhood (see under). Only symmetric links 
are taken into account. In O(Dmax) the knowledge of the Dmax neighborhood can be known. 
Malformed lists are rejected (such as lists larger than Dmax). Moreover, when a node receives 
a list which is too long compared to its current list, it rejects it to avoid any split of its current 
group. 

When a node enters in a new group, its arrival will be propagated to the group's members 
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in O(DmcLx). Such an arrival can increase the diameter of the group. A new member will be 
accepted only if the diameter constraint is respected. Two nodes could be accepted concurrently 
by two distant members of a given group and the diameter constraint is no more fulfilled for 
this group. In this case, one of the new member must leave the group (instead of splitting the 
existing group). To avoid any inopportune change in the views, a new member enters in the 
view of a node after the end of its quarantine period. This allows to guarantee that its arrival 
has been approved by all the members (no conflicts) . 

When a node has to leave the group to fulfill the diameter constraint, the choice is done 
using priority (function pr). Priorities are totally ordered; if pr(-u) < pr(f), then u has the 
priority. We do not detail pr in this paper. This may be the identity of the nodes, but 
dynamic priorities are more useful. For instance, if priorities are based on nodes' identities, 
a new member with a small identity may split an old group just after entering it because it 
moves too far (consider a group of vehicles in a stable convoy and a rapid vehicle that overtakes 
the convoy). To the contrary, if priorities are based on the logical date of entrance into the 
group (implemented using time-stamps), then this is the last arrived node that will leave (the 
vehicles that overtakes). 

Priorities on the nodes allow to easily define priorities on the groups by taking the smallest 
priority of the members^. Priorities on the groups allows to ensure the merging of neighbor 
groups (and the maximality property Um) in particular cases (loop of groups willing to merge). 

3.2.2 Building the lists of ancestor sets 

The messages sent to the neighbors contain ordered list of ancestors ' sets. The ordered list of 
ancestors' sets of a node v is defined by: (a°, a^, . . . , a^) where any node a; G a* satisfies 
d{x, v) = i (a° = {v}) and p is the distance of the farthest ancestor of v. 

Computations are done using the r-operator ant [7, 13, 11]. Let § be the set of lists of 
vertices' sets. For instance, if a,b,c,d,e are vertices, {{d},{b},{a,c}) and {{c} , {a, e} , {b}) 
belong to §. Let © be the operator defined on § that merges two lists while deleting needless 
or repetitive information (a node appears only one time in a list of ancestors' sets). For 
instance, ({d}, {6}, {a, c}) © ({c}, {a, e}, {6}) = ({d, c}, {6, a, e}, {a, c, 6}) = ({d, c}, {6, a, e}). 
Finally, let r be the endomorphism of S that inserts an empty set at the beginning of a list. 
For instance, r{{d,}, {b}, {a.c}) = (0, {rf}, {&}, {a, c}). We then define the operator ant by: 
ant(/i. I2) = /i ©r(/2), where li and I2 are lists belonging to S. This is a strictly idempotent r- 
operator [11] inducing a partial order relation. It leads to self-stabilizing static tasks (building 
the complete ordered lists of ancestor sets) in the register model [13]. Since our wireless 
communication model admits bounded links, these results can be extended to this model. 
(Refer to the discussion related to r-operators in wireless networks in [7].) 

3.2.3 Algorithm 

The distributed protocol Dynamic Group Service is composed of a single algorithm per node 
(uniform protocol), see below. Each node computes its output (list, view and priorities) when 
its timer Tc expires. It broadcasts its output in the neighborhood when the timer Tg expires 
{Tg < Tc). Timers Tc and Tg are chosen according to the fair channel hypothesis. In case 
both Tc and Ts expire simultaneously, we assume that the action related to Tc are performed 



^During the stabilization, the topology is supposed to be fixed and then no node leaves. The dynamicity is 
taken into account thanks to the best effort property. 



before those of Ts (computation before sending) in order to avoid any fairness problem (no 
computation) . 

All messages received from the neighborhood are collected in msgSet. If a neighbor sends 
more than one message before the timer expiration, only the last received is kept. After 
computation, the variable msgSet is reset in order to detect when a neighbor leaves. 

Algorithm Dynamic Group Service (node v) 

1 Upon r(X-optioii of a. iiw^ssugc msg sent b\" a. iiotk^ u: 

2 update message of u in msgSet 

3 Upon Tc timer expiration: 

4 compute() 

5 reset msgSet 

6 restart timer Tc with duration n 

7 Upon Ts timer expiration: 

8 send( list„ with priorities, priority of view„ ) to the neighbors 

9 restart timer Tg with duration T2 

A computation (in procedure compute, below) consists in building the ordered list of an- 
cestor' sets as well as the view. The list is sent to the neighbors to be used in their ant 
computation. The view is the output of the protocol used by the third party applications (eg. 
chat, collaborative perception...) which requested the dynamic group service, and which gave 
the diameter constraint Dmax (fixed during all the execution). 

First, the incoming lists are checked. Line 3, when the list sent by u and received by v 
does not contain v, is malformed or is too long^, it is replaced by (u). When u receives the list 
of V containing u, it accepts the list of v and sends a list containing v. Thanks to this triple 
handshake, the link has been detected as symmetric (by the way, asymmetric link information 
are not propagated). 

Line 6, if the received list is too long, the sender u is marked as incompatible (u) . Roughly 
speaking, a list received by a node u from another node v is compatible if, by combining its 
list with the one of v, u does not increase the diameter of its group beyond Dmeix. In order 
to reach this goal, it is enough to test if the sum of the lengths of both lists is less than or 
equal to Dinax+ 1. But, such simple test would avoid to merge two groups by taking advantage 
of short cuts between both groups. In other words, this would ignore the knowledge that 
nodes of a group have on nodes belonging to the other group. The technical condition used in 
Function compatibleListO deals with such an optimization. 

Line 9, if the sender is external to the group, the priorities of the nodes inside its lists are 
replaced by the priority of its view (received with its list Line 8): inter-groups comparisons are 
realized using groups' priorities instead of nodes' priorities. 

Then a first computation is performed using the ant operator (Lines 13-16; this computation 
ought to be performed inside the first f orall loop but we preferred to separate it for clarity). 
Thanks to the goodList test, the size of the incoming lists are smaller than Dmax -|- 1. However, 
the computed list could reach the size of Dmax + 2 while the maximum is Dmax + 1 (the ant 
operation increases by one the list sizes). In this case, a choice has to be done between either 
the local node v or the farthest nodes in the received lists. This choice is done by using the 
priority (function pr. Line 19). If the local node v has not the priority on the too far node 
w (positions in the list start from to Dmax;-|-1 here), the list in which w appears are ignored 

^s(list) returns the number of elements in list; list.i returns the zth element of list, starting from 0. 



(Line 22). At the opposite side of the group, node w keeps the hst containing v but the end of 
its ordered hst of ancestor's sets wiU be truncated (meaning that v and w will not belong to 
the same group). Indeed, after the too far nodes have been all examined, the list of ancestors 
is computed again (Lines 27-30) and is truncated (Line 31) in order to delete the too far nodes 
(these remaining too fare nodes have less priority than v). 

In order to not include a node in a view while it could be rejected later, a quarantine 
mechanism is used. The quarantine period of a node willing to enter in a group is fixed at 
Dmax timers. Each time a computation is done (and then the new node progresses in the 
group), its quarantine period decreases. Since the group diameter is less than or equal to 
Dmax, any conflict would have been detected before the new node enters into a view. Moreover, 
if a member of the group accepts the new node, then all the members will accept it. The 
procedure compute () is given below. 

Procedure compute () 



t> Checking the received lists 

1 for all list„ in msgSet do 

2 delete marked nodes except v_ in list„ > Marked nodes are only useful between neighbors. 

3 if -1 goodList(list„) then > List of u cannot be used; 

4 replace list„ by (u) in msgSet t> this list is ignored but the sender is kept. 

5 end if > Now, incoming lists cannot he larger than Dmax. 

6 if M ^ view„ and ^ conipatibleList(list„) then > u is new, hut its list cannot he accepted; 

7 replace list„ by (u) in msgSet > u is denoted as an incompatible neighbor 

8 end if 

9 if u ^ view^ then > If the sender is external, using group priorities. 

10 update priorities in list„ with priority of view„ 

11 end if 

12 end for 

i> Computing the list of ancestors' sets of v. 

13 list^ <— (v) 

14 for all list„ G msgSet do 

15 list„ ant(list^, list„) > Computation using the ant r-operator. 

16 end for 

i> Removal of incoming lists containing too far nodes (after ant computation, list^ cannot be larger than 
Dmax +1) 

17 if s(listi,) = Dmax + 2 then > The list is too long. 

18 for all w at position Dmax + 1 in list^, do > Scanning too far nodes. 

19 if pr(w) < pr(v) then o Far node w has the priority. 

20 for all list„ G msgSet do o Looking for lists that provided w; 

21 if w is at position Dmax then > they contain w in their last place. 

22 replace list„ by (u) in msgSet t> The neighbor that provided w is ignored. 

23 end if 

24 end for 

25 end if 

26 end for 

i> Computing listy again, without the incoming lists that contained too far nodes with priority. 

27 list^ <— {v) 

28 for all list„ in msgSet do 

29 listv <— ant(listv, list„) 

30 end for 

31 keeping up to Dmax + 1 first elements in list^ > Deleted too far nodes have not the priority. 

32 end if 

33 Update quarantines: quarantine of new nodes is Dmax, non null quarantine of others decreases by 1 
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34 viewj, ■*— non marked nodes in list,, with null quarantine 

35 Update priorities t> Depends on the kind of priorities used. 



Function goodList(list) 

1 if V or v_ arc in list.l and s(list) < Dmax + 1 and ^ list then 

2 return true 

3 end if 

4 return false 

Function compatibleList(list) 

1 if s(list„) + s(list) < Dmax + 1 or 

3i G {0, . . . , s(list^)}, list^.i C list.l A min (s(list„) + s(list) + 1 — i, s(list) + 1 + i/2) < Dmax 

2 return true > Refer to Proposition 13. 

3 end if 

4 return false 



4 Proofs 

We first focus on the self-stabilizing property of our algorithm. We show that assuming a 
fixed topology, the system converges in finite time to an execution satisfying the statements 
in Subsection 3.1, i.e., Ylg A 11^ A Hm is an attractor. Next, we prove that, assuming topo- 
logical changes preserving the maximal distance condition over the groups, then continuity is 
preserved, i.e., =^ n^. 

4.1 Stabilization 

In the sequel, we prove that our protocol is self-stabilizing by showing that Ylg and 11^ and 

Hm are attractors — Propositions 8, 7 and 12, respectively. 

We begin by showing that eventually lists will become correct (Propositions 1 and 2). We 
first prove that any execution cannot remain infinitely with configurations having lists larger 
than DmcLX. We denote by eumax the suffix of an execution e such that, for any configuration 
c e eDmax, for any node v & V , the size of list^ is smaller than or equal to Dmax -|- 1. 

Proposition 1 (Dmax) On a fixed topology, any execution e reaches in finite time a suffix 

Starting from this proposition, we now prove that any execution cannot remain infinitely 
with configurations having a non existing node in a list. We denote by Cgxist the suffix of 
an execution e such that, for any configuration c G Cexist, for any node v ^ V , every node 
u e list^ satisfies u & V. 

Proposition 2 (Exist) On a fixed topology, any execution e reaches in finite time a suffix 

Next, we establish the connection between marked nodes in the algorithms and subgraphs 
(Propositions 3, 4, 5 and 6). We call double-marked edge an edge {u,v) such that either u 
double- marks voiv double- marks u (denoted by u in the algorithm). The following proposition 
is a consequence of the double-marked edge technique. A node v double-marks its neighbor 
u only if the list sent by u cannot be accepted by v (Lines 7 and 22). In this case, node v 



will ignore the list sent by u. Reciprocally, if u has been double-marked hy v, u will detect an 
asymmetric link {u does not appear in the list it received after Line 2) and only the identity 
of V will be kept by u, the rest of the hst of v will be ignored (Line 4). 

Proposition 3 (No propagation) Let u and v be two vertices of G and suppose that, in 
any execution e, there exists a configuration Ce from which any path from u to v in G contains 
a double-marked edge. Then u will eventually disappear from listl and v will eventually 
disappear from lisf^. 

The following proposition is a consequence of the ant computation (see Section 3.2.2). 
It propagates nodes identities (providing there is no edge-marking technique for limiting it) 
[13, 7]. 

Proposition 4 (Propagation) Let u and v be two vertices of G and suppose that, in any 
execution e, there exists a configuration Ce from which there exists a path from u to v in G 
without double-marked edge. Then listl will eventually contain u and list^ will eventually 
contain v. 

Proposition 5 (Double-mcirked edge) Suppose that d{u, v) > Dmax. Then any execution 
admits a suffix Cedge such that, for any configuration c e Cedge, there is a double-marked edge 
on any path from u to v. 

Let denote by H^{Vh^, Eh^) the subgraph of G{V, E) defined in the configuration c by: for 
any node u in V^^, v e list^. Such a subgraph is composed of vertices containing v in their 
list. We prove that eventually if„ and are distinct when d{u, v) > Dmax. 

Proposition 6 (Subgraphs) Suppose that d{u, v) > Dmax. Then any execution admits a 
suffix Csubgraph such that, for any configuration c e Csubgraph, and are distinct subgraphs. 

The preceding propositions give the Agreement. Consider any execution Cgubgraphs- Denote 
by Cagree the suffix of an execution e such that n^(c) holds for any configuration c G eagree; 
that is Vh^ — view^ for any w e H^. The following proposition is given by Propositions 6, 4 
and 3. 

Proposition 7 (Agreement) On a fixed topology, any execution e reaches in finite time a 

S'^ffi^ ^ agree- 

Proof. By Proposition 6, for any execution, there exists a suffix such that, for any nodes u 
and V in G, if d{u, v) > Dmax, then the subgraphs if„ and if„ are distinct. Consider now two 
nodes w and v such that w belongs to 

By Proposition 4, for any execution, there exists a suffix such that, for any configuration c in 
this suffix, the identities of will be in list^. 

By Proposition 3, for any execution, there exists a suffix such that, for any configuration c in 
this suffix, the list^ contains only vertices of H^. 

After the end of the quarantine period, all the nodes in list^ belong to view^. Then the 
system reaches a suffix in which all the nodes of H^j and only these nodes appear in view^u, for 
any vertex w e Hy. Hence, view^ = view^ = 11^,. This gives Ua- D 



Now we have the agreement, there is a connection between subgraphs and groups. We then 
prove the Safety. Consider any execution Cagree (Proposition 6). Denote by Cgafe the suffix of 
an execution e such that ns (c) holds for any configuration c e Cgaie- The foUowing proposition 
is a consequence of Proposition 6. 

Proposition 8 (Safety) On a fixed topology, any execution e reaches in finite time a suffix 

^safe- 

Proof. By Proposition 6, for any execution and any nodes u and f in G satisfying d{u, v) > 
Dmax, the subgraphs and will eventually be distinct. Hence, for any execution, there 
exists a suffix Csafe such that, for any configuration c G Cgafe, for any vertex v in G, Diam(if^) < 
Dmax. 

Then, by Proposition 7, we have maxx^yen^ dno(^x,y) < Dmax. This gives Us- □ 
We consider any execution eagree ■ In order to prove the maximality property, we introduce 
the following definitions. An edge {u, v) is internal in a given configuration c if fi^ = fi^. In the 
converse case {Q^ ^ 1]^), it is external. An external edge involves double- marked nodes and 
it is then not propagated by the algorithm (marked nodes are deleted, see line 2 in Procedure 
compute 0). We denote by nee (resp. ndg) the function defined on C that returns the number 
of external edges in a given configuration (resp. the number of distinct groups in configuration 
c: ndg{c)^\{ni,veV}\. 

Proposition 9 // nee is decreasing along a suffix Cg of an execution e, ndg is also decreasing 
along Cg. 

Proof. Let {u, v) be an external edge in a configuration q and assume that it is an internal 
edge in configuration Cj+i. This means that Q^' ^ and Qu"*"^ = fll''^^. Hence nee(cj) > 
nee(ci+i) ndg{c,^ > ndg{ci+i). □ 
We prove that any execution reaches in finite time a suffix in which the function nee does 
not increase. We denote by enotincr such a suffix: Vci,Cj+i e enotincr, nee(ci+i) < nee(cj). 

Proposition 10 (Not incr.) On a fixed topology, any execution e reaches in finite time a 

Proof. Let c G eagree be a configuration (Proposition 7). Let (m,i') be an internal edge in 
configuration c. Then we have = and u is in listj. In order (w, v) becomes an 
external edge, one of its extremity (say v) would have double-marked the other (in Procedure 
compute 0). But this cannot happen after the goodList test (line 3) because c G esubgraphs- 
This cannot happen after the compatibleList test (line 6) because u is in already in view^. 
□ 

Now, we prove that any execution reaches in finite time a suffix in which the function nee is 
decreasing while Hm is not true. We denote by ejecr such a suffix: Vq G ejecr, ^M{ci) V 3cj G 
Cdecr, i < 3 and nee(ci) > nee{cj). 

Proposition 11 (Decrecising) On a fixed topology, any execution e reaches in finite time a 

suffix Cciecr- 
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Proof. Let c G Cnotincr be a configuration (Proposition 10). Starting from such a configuration, 
the nee function cannot increase. Suppose that Um is not true in c. Then, by definition of 
IIjv^, there exists two neighbors nodes x and y with different views that could merge their 
groups without breaking Us- By fair channel hypothesis, a timer later the system reaches a 
configuration c' in which x (resp. y) has received the list sent by y (resp. x). 

Without loss of generality, suppose that has the smallest priority among all the subgraphs 
that can merge, and fly has the smallest priority among all the groups that can merge with 

fix- 

During the compute () Procedure on x and y, the goodList tests are true because c' e enotincr 
and then c' e esafe- The compatibleList test is true on both x and y because they cannot 
have change their list since configuration c. Hence we obtain: x e list^ and y e list^. 

Since fly has the smallest priority among the neighbors of fix, no member of fix can receive 
a message from a group with a smallest priority. Therefore x will never receive and then will 
never send to y a list with a too far node with a smallest priority than y one's. Hence y will 
never double- mark x and x will remain in the list of y. 

Similarly, since fl^ has the smallest priority among the groups that can merge, no member of 
fly can receive a message from a group with a smallest priority. Therefore y will never receive 
and then will never send to x a list with a too far node with a smallest priority than x one's. 
Hence x will never double- mark y and y will remain in the list of x. 

After Dmax timer, the list of y (resp. x) has reached any u E fix (resp. fly) thanks to the fair 
channel Hypothesis. Moreover the quarantine of these new members reaches and they are 
now included in view^. Thus, the edge {x,y) becomes an internal edge. 

Hence, starting from configuration c with -iHm(c), the system reaches in finite time a config- 
uration c" with nee(c) > nee(c"). □ 
The following proposition is given by Propositions 9, 10 and 11; it shows that any execution 
reaches in finite time a suffix in which Hm is true. We denote by emax such a suffix. 

Proposition 12 (Maximality) On a fixed topology, any execution e reaches in finite time a 

Proof. By Proposition 10, the execution reaches a suffix enotincr such that the nee function 
will no more increase. By Proposition 11, the execution reaches a suffix e<iecr such that the 
nee function decreases while H^ is not true. Hence, while H^ is false, the number of external 
edges will eventually decrease. By Proposition 9, this means that the number of subgraphs 
will eventually decrease while Um is false. Since the graph is finite, the number of subgraphs 
cannot decrease infinitely and H^ will eventually become true. □ 

4.2 Continuity 

In this subsection, we consider the dynamic of the network. We show that if the continuity 
property is violated into a group, then their exists a pair of nodes belonging to that group 
such that the distance between them is larger that Dmax. The following technical proposition 
justifies the compatibleList test. 
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Proposition 13 (Compatible lists) Let v be a node having the list (a^, a^, . . . , a^) and 

assume that its neighbor w sends the list (a° , a^, . . . , a^). Then, the diameter of the group 
of V will remain smaller than or equal to Dmax after v accepts w if and only if there exists 
i E {0, . . . ,p} such that w is neighbor of all the nodes belonging to a\ and either p — i + l + g < 
Dmax or i/2 + q + 1 < Dmax. 

Proposition 14 For any execution e, for any configuration q in e, nr(cj, Q+i) ^ Ylc{ci-i Q+i). 

Proof. Suppose that there exists a configuration q and a node v such that view^' ^ view^'^\ 
Then there exists a node u such that u G view^^ and u ^ view^'"'"\ This cannot happen after 
u or V has added a new node in its view, thanks to the quarantine mechanism. This can only 
happen because either u or v removed a node from their views. 

Without loss of generahty, suppose that v removed a node x: x E view^' and x ^ view?"'"\ If 
X ^ view^'^^ then (i) the quarantine of x is not null or (ii) x is not in listS""*"^ or (iii) x is 
marked in list^'^^ (Line 34 in Procedure compute ()). 

(i) The first case is exclude because x was already in view^v 

(ii) In the second case, if v has not received the message of x while it received it before, 
then x left the neighborhood of v (fair channel Hypothesis). Moreover, x was not able to 
reach the neighborhood of a node w in before a timer expiration on v (that guarantees the 
propagation up to one hop of any message) thanks to the 1-dynamic Hypothesis. Hence, in 
configuration there is not path from x io v with only nodes of and d'2ti{x, v) — +oo. 
Thus -iHr(ci, Q+i) (a neighbor left). 

(iii) In the third case, if x is simple marked, its list is not good while it was in configuration q, 
which is exclude (Line 3). If a; is double-marked, this cannot happen after the compatibleList 
test (Line 7) because x was in view^\ If this happened after Line 22, then x sent a list with a 
too far node y such that pr(|/) < pr(v). liy ^ then y ^ view^\ Then the quarantine of y 
is not null and no node of has admitted y in its view. Therefore, thanks to Proposition 13, 
y would have never been propagated inside Q,'g until v, because of the compatibleList test 
(Line 6). Finally, if y G then the distance from y to f in configuration q+i is larger than 
Dmax: d^i'^/ (x, v) > Dmax and -iHT(cj, Q+i) {the group stretched out). □ 



5 Conclusion 

This paper introduces the best effort concept to complete the self-stabilization in dynamic ad 
hoc networks: a continuity of service is ensured if the dynamic of the network allows it. A new 
group membership service inspired from VANET has been specified; its aim is to keep existing 
groups as long as possible and with a diameter smaller than a constant. 

To achieve this specific group membership service, a self-stabilizing distributed algorithm in 
a wireless communication model has been designed and proved. The Dynamic Group Service 
stabilizes the views in such a way that all the members of a group will eventually share the 
same view (in which only the members appear). The groups' diameters arc smaller than a fixed 
applicative constant Dmax. Neighbor groups merge while the diameter constraint is fulfilled. 
Moreover, this algorithm admits the following continuity property: no node disappears from a 
group except if a topology change leads to the violation of the diameter constraint (or a node 



The protocol has been implemented and its performances are currently studied by simu- 
lation on Network Simulator, using several mobihty models. We believe that the best effort 
approach and the continuity property are promising for building useful services on dynamic ad 
hoc networks. 
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A r-operators: a summary 



When modeling the distributed algorithms with algebraic operators, interesting properties 
(termination, self-stabilization) can be ensured by simply checking some local properties of 
the operator. To stabilize a distributed algorithm while some loops exist in the network, the 
idempotency is required {x ■ x = x). However, the operators of the idcmpotcnt semi-groups 
(such as mm{x,y) in N) cannot converge in presence of transient faults [12]. By using an 
endomorphism (such as x i— > a; + 1 in N), these operators can be generalized in r-operators 
(such as in.m{x,y + 1) in N). The Abelian idempotent semi-group is then a particular case of 
r-semi-groups, where the endomorphism is the identity mapping x ^ x [11]. An r-operator is 
r-associative {x < {y < z) = {x <y) <r{z)), r-commutative {r{x) <y = r{y) < x), r-idempotent 
{r{x)<x = r{x)) and admits a left neutral element ( ). Under certain conditions, an r- 

semi-group induces a semi-group and this gives a method to build r-operators [11] : finding an 
Abelian idempotent semi-group (§, ©) and then an endomorphism r : S — > S. These algebraic 
structures admit an order relation. An idempotent r-operator satisfies Vx e S, x :<© x where 
:<0 is the order relation of the induced semi-group. When we have Vx G E>,x x, the 
r-operator is strictly idempotent. In [7], it has been proved that the strictly idempotent r- 
opcrators that induce a total order relation lead to self-stabilizing static tasks in unreliable 
messages passing. 
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B Proofs 



B.l Proof of Proposition 1 (Dmax) 

Proof. Starting from configuration ci, the system will reach in finite time a configuration in 
which every node has computed its list after expiration of its timer. After such a computation, 
the size of the lists is bounded by Dmeix + 1 (because it is truncated at the Dmax + 1 position, 
Line 31). □ 



B.2 Proof of Proposition 2 (Exist) 

Proof. Let c e ecmax be a configuration (Proposition 1). Let w be a node label such that u 

and denote by the set of nodes having u in their hst at position k in configuration c. Consider 
the function 0(c) defined by 0(c) = min{A; e N,U^ ^ 0} and 0(c) = cx) if VA; G N, f/^ = 0. 
We prove that is continuously growing along the execution to be eventually equal to infinity 
forever. 

Consider a node v in U^^^^y v contains u at position 0(c) in its computed list and no node in 
configuration c contains rt at a smaller position in its computed list. Until the next expiration 
of its timer, v cannot receive a list containing m in a smaller position than 0(c). Hence, the 
system will reach in finite time a configuration in which the node v has computed a new list that 
does not contain u at a position smaller than 0(c) + 1. After a timer (fair channel Hypothesis), 
the system reaches in finite time a configuration in which the neighbors of v have received this 
list. 

After finite time, any node v e ^^(c) ^"^^ do the same. The system then reaches in finite time 
after configuration c a configuration d in which U^^^-^ is empty, meaning that 0(c) < 0(c'). 

By iteration, is growing along the execution. Since the size of the lists is bounded by Dmax+ 1 
(Proposition 1), there exists a configuration c" reached in finite time after c in which 0(c") = oo, 
meaning that u does not appear anymore in the computed lists of the nodes forever. □ 



B.3 Proof of Proposition 5 (Double-marked edge) 

Proof. Let v and w two nodes of G such that d{v,w) — Dmax + 1. Without loss of generahty, 
we suppose that pr{w) < pr{v). Suppose that there exists a path from v to w that does not 
contain any double-marked edge. By Proposition 4, there exists a neighbor m of f such that 
u sends to w a list containing w. The size of this list is larger than Dmax. There is two cases, 
(i) u ^ view^. In this case, list„ is replaced by (u). (ii) u e view^. In this case, v computes 
a list using the one sent by u. Since d{u,v) > Dmax, the resulting hst is too long. Since 
pr{w) < pr{v), the computation will be done again without the list provided by u, which will 
be replaced by (u). In the two cases, u is double-marked by v. Hence, any path from u to v 
will eventually contains a double- marked edge. □ 
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B.4 Proof of Proposition 6 (Subgraphs) 



Proof. By Proposition 5, there exists a suffix si such that any path from u to v contains a 
double-marked edge. By Proposition 3, there exists a suffix S2 included in si such that for any 
configuration c in this suffix, u ^ list^ and v ^ list^. Then u ^ Hy and v ^ Hu- 

Let consider a node w such that w & and w G Hu- Then there exists at least one path from 
u to V containing w. The length of such a path is larger than Dmax. Then, by Proposition 5, 
it admits a double-marked edge, either on the subpath from ti to w or from the subpath from 
w to V. 

Now, let consider all the paths from u to v containing w; they all contain a double-marked 
edge. Suppose that for one path Pi, this double-marked edge is between w and v and for a 
second path P2, it is between u and w. Then, by considering edges of Pi from utow and edges 
of P2 from w to v, we obtain a path from u to v without any double-marked edge, which is a 
contradiction. Then, all paths from u to v containing w admit a double-marked edge, and this 
edge is always between u and w or always between w and v. Thus, w cannot belong to both 
Hu and H^, meaning that there is no node w such that w e H^ and w E H^. 

Hence, any execution reaches a suffix such that, for any configuration c in this suffix, H^ and 
H^, are distinct. □ 



B.5 Proof of Proposition 13 (Compatible lists) 

Proof. Let c G Csafe be a configuration (Proposition 8). Let w be the first node of fi^ for 
which the list of ancestor's sets is received by v. Then, the only external edges between fl^ 
and known by v are those joining w (external edges are not propagated). Hence, without 
loss of generahty, assume that only these external edges exist between the groups. 

(^) Assume that the conditions are fulfilled. Let u E and u' G aj^ be two nodes in the 
lists of V and w respectively. There exists at most two families of shortest paths from u to 
u', depending on the external edge used to reach w. Let Pi be a path that includes the edge 
{v,w). It starts from u and joins v hj k edges in the group of v, joins w by the edge {u,v) 
and then reaches u' by / edges in the group of u. Let P2 be a path from the second family. It 
starts from u and joins a node v' & by \k — i\ internal edges in the group of v, then joins w 
by the edge {v', w) and then reaches u' by I internal edges in the group of u. 

The length of Pi is bounded by A; -|- 1 -|- g. But since Pi is a shortest path, it is shorter to reach 
u' from u by joining a node of {i.e., v) than by joining a node of al (such as v'). Hence 
we have k < i/2 and the length of Pi is bounded i/2 + 1 + q, which is smaller than Dmax by 
hypothesis. The length of P2 is bounded hy p — i + 1 + q, which is also smaller than Dmax by 
assumption. 

Hence, for any node u and u' belonging to the group of v and w respectively, there exists a 
path from u to u' with less than Dmax edges. The list of w is then compatible with the list of 
V, and can then be accepted by v. 
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(<^) Assume by contradiction that the conditions are not fulfilled and that v accepts the list 
of w, i.e., V includes the list of w by computing its new list with ant — refer to Lines 14 — 16 
of Procedure compute (). That means that the list of w is compatible — refer to Lines 6 — 8 — , 
which contradicts the assumption. Then the nodes of list^ will be propagated in the lists 
of nodes of list^ and reciprocally. But at least one node u G list^ will see that a node 
u' e list^ is too far from it and reciprocally. Either u or u' will reject the lists of its neighbors 
that contain the too far node (depending on the priority between u and u') and either the 
group of V or the group of w splits (when a neighbor is rejected by u, it disappears from list„, 
and then from view^; it is then no more in Hy). □ 
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